At Sat, 24 May 2025 20:29:45 -0000 (UTC), mlelstv%serpens.de@localhost (Michael van Elst) wrote:
Subject: Re: Proposal to apply mask to IP address set on rule
>
> Access lists for Squid and Varnish web caches both warn you
> about a bad subnet definition with nonzero host part and tell you
> how they "fix" it (by zeroing the host part).

Hmmmmm...  I'm surprised about Squid doing that -- but I haven't used it
for over 20 years now, so I don't remember much about it.

The notes in the sample conf file don't exactly lead one to think it
will even complain though -- it seems to explicitly claim to allow any
address in the subnet -- a "client's address", or a "host's address"
is/are not ever (by definition) a network address!

	# acl aclname src ip-address/netmask ...	# clients IP address [fast]
	# acl aclname src addr1-addr2/netmask ...	# range of addresses [fast]
	# acl aclname dst ip-address/netmask ...	# URL host's IP address [slow]
	# acl aclname myip ip-address/netmask ...	# local socket IP address [fast]

I probably only used /24 subnets back then though so I wouldn't likely
have ever needed to create an acl with anything other than the subnet's
network address.  It's also easier to know the network address when such
ACLs are usually all for locally controlled subnets.

> Wireguard warns you about a nonzero host part (probably then
> ignores it then).

Dunno if that's a good example, but I guess it is an example.  :-)

> libwrap (tcpwrappers) warns you about non-zero host bits

I had meant to check libwrap -- I had a funny feeling in the back of my
head about it....

Yeah, that warning was added in the NetBSD version only:

	revision 1.12
	date: 2002-04-04 11:50:27 -0800;  author: atatat;  state: Exp;  lines: +14 -3;
	Log a warning if the address (n) has more significant bits than the
	netmask (m) in a entry of the form "n.n.n.n/m.m.m.m".

and then I removed it again in my local copy.  :-)

> (and ignores them).

No, I think that there is actually a bug in the expression that tests
the match, (and without fixing it, that would warrant not just a warning
but an actual error failure in view, but of course it should just be
fixed!)

The test expression should be:

	return ((addr & mask) == (net & mask));

--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>
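The following is an added illustration of the point made in the message above; it is not code from the thread, from libwrap, nor from NetBSD. It parses a rule of the "n.n.n.n/m.m.m.m" (or "n.n.n.n/len") form, reports the same condition the quoted libwrap revision 1.12 log warns about (address bits set outside the netmask), and compares the masked test expression proposed in the message against a hypothetical unmasked comparison, so one can see why a rule whose network part carries host bits silently never matches unless the mask is applied to both sides. The parser syntax, the function names and the sample rules are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d" into a host-order 32-bit value.  Returns 1 on success, 0 otherwise. */
static int parse_dotted(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    int n = 0;

    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4 || s[n] != '\0')
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse a rule "n.n.n.n/m.m.m.m" or "n.n.n.n/len" (assumed syntax for this example).
 * Returns 0 on success and -1 on any syntax or range error. */
int parse_rule(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[64];
    char *slash;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';
    if (!parse_dotted(buf, net))
        return -1;
    if (strchr(slash + 1, '.') != NULL) {
        if (!parse_dotted(slash + 1, mask))
            return -1;
    } else {
        unsigned len;
        int n = 0;

        if (sscanf(slash + 1, "%u%n", &len, &n) != 1 || slash[1 + n] != '\0' || len > 32)
            return -1;
        /* A shift by 32 is undefined, so a /0 prefix is handled separately. */
        *mask = (len == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - len));
    }
    return 0;
}

/* The condition the quoted revision 1.12 log warns about:
 * the address has significant bits outside the netmask. */
int rule_has_host_bits(uint32_t net, uint32_t mask)
{
    return (net & ~mask) != 0;
}

/* Hypothetical unmasked comparison (not claimed to be any real library's code):
 * when net carries host bits this can never be true, so the rule silently never matches. */
int match_unmasked_net(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == net;
}

/* The test expression proposed in the message: mask applied to both sides. */
int match_masked(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == (net & mask);
}

int main(void)
{
    /* Constructed sample rules and client address for demonstration. */
    const char *rules[] = { "192.168.1.37/255.255.255.0", "10.0.0.0/8" };
    uint32_t client = 0xC0A8010Au;   /* 192.168.1.10 */
    size_t i;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        uint32_t net, mask;

        if (parse_rule(rules[i], &net, &mask) != 0) {
            printf("%s: bad rule\n", rules[i]);
            continue;
        }
        printf("%s: host bits set=%d  unmasked match=%d  masked match=%d\n",
               rules[i], rule_has_host_bits(net, mask),
               match_unmasked_net(client, net, mask),
               match_masked(client, net, mask));
    }
    return 0;
}
```

With the first rule, the host-bits check fires and only the masked comparison matches the client; with the second rule (a proper network address) both comparisons agree, which is why the defect stays hidden until someone writes a rule with a non-zero host part.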